Information Commissioner’s Office 
Internal Audit Report: High Priority Investigations 
December 2020 


Mazars


Contents 


01 Introduction 

02 Background 

03 Key Findings 

3.1 Examples of areas where controls are operating reliably 
3.2 Risk Management 

3.3 Value for Money 

3.4 Sector Comparison 


04 Areas for Further Improvement and Action Plan 




A1 Audit Information 




Disclaimer 


This report ("Report") was prepared by Mazars LLP at the request of the Information Commissioner's Office (ICO) and terms for the preparation and scope of the Report have been agreed with them. The matters raised in this Report are only those which came to our attention during our internal audit work. Whilst every care has been taken to ensure that the information provided in this Report is as accurate as possible, Internal Audit have only been able to base findings on the information and documentation provided and consequently no complete guarantee can be given that this Report is necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required.

The Report was prepared solely for the use and benefit of the ICO and to the fullest extent permitted by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any reason whatsoever on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Accordingly, any reliance placed on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification by any third party is entirely at their own risk. Please refer to the Statement of Responsibility in Appendix A1 of this report for further information about responsibilities, limitations and confidentiality.




01 Introduction 


As part of the agreed Internal Audit Plan for 2020/21, we have undertaken 
a review of the Information Commissioner’s Office (ICO) arrangements for 
high priority investigations. We have reviewed key controls to assess 
whether the ICO’s framework and processes are designed and operating 
effectively. This included the following risk areas: 


• Methodology for approving an investigation;
• Risk Assessments;
• Approval of Investigations;
• Resource;
• Investigation Monitoring; and,
• Reporting.


Full details of the risks covered are included in Appendix A1. 


We are grateful to the Director of High Priority Investigations, Intelligence, 
Insight & Compliance and Relationship Management Service, the Head of 
High Priority Investigations, the Group Manager of High Priority 
Investigations and other staff for their assistance during the audit. 


The fieldwork for this audit was completed whilst government measures 
were in place in response to the coronavirus pandemic (Covid-19). Whilst 
we completed this audit remotely, we have been able to obtain all relevant 
documentation and/or review evidence via screen sharing functionality to 
enable us to complete the work. 


This report summarises the results of the internal audit work and, 
therefore, does not include all matters that came to our attention during the 
audit. Any such matters have been discussed with the relevant staff. 


02 Background 


The ICO's core role is to uphold information rights in the public interest. As part of the Commissioner's priorities to uphold information rights, the ICO investigates thematic issues and emerging technologies under the legislation it regulates: the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the Freedom of Information Act 2000.

High Priority Investigations (HPIs) are cases or issues that:


• Are of wide and/or serious public concern (including political or media interest);

• Are particularly novel or intrusive activities where there is a significant risk to the public and/or the ICO's reputation;

• Relate to an evolving issue or emerging technology;

• Involve persons entrusted with a prominent public function, by virtue of their position and the influence that they may hold;

• Involve a likely need for change in legislation or significant changes to data protection practices; or

• Need a surge of resource or an increase in priority to conclude a case that would otherwise cause reputational damage.


The ICO have established a HPI Team, which has been in place since May 2019. The team is specifically responsible for tackling HPIs in line with the above criteria. The investigations are often in areas where the ICO is developing its policy position and can be used to develop or change current legislation.

In relation to the methodology for approving an investigation, the HPI Team are currently developing a HPI-specific operating model which will outline the key roles, responsibilities and processes for managing HPIs. Whilst the operating model is being developed, HPIs are managed through the ICO's overarching Investigations Manual, which sets out a high-level summary of the stages involved in managing a HPI.


Each Investigation requires a Tasking Initiation Document (‘TID’) to be 
populated to supply the relevant details regarding the issue at hand, 
contraventions of the legislation and the risk assessment scoring. The TID 
will also set out the resource required based on the risks identified and can 
also provide a foundation for any accompanying strategy documents, such 
as press and complaints handling strategies. The TID is then subsequently 
presented for approval by the Executive Team (ET). 


Quality control and investigation monitoring are linked to the risk assessment of each investigation. For example, an investigation may require weekly meetings with senior leadership, or monthly reporting to both the HPI Team and ET. ET meet monthly to review the HPI dashboard, which ensures each investigation is subject to strategic scrutiny.


03 Key Findings 


Assurance on effectiveness of internal controls: Adequate Assurance

For the internal audit work carried out (please see Appendix A1 for the detailed scope and definitions of the assurance ratings), we have provided Adequate Assurance.


Our audit has identified a number of weaknesses that should be 
addressed to improve the control environment. For instance, our review 
identified issues which the ICO should address in the following areas: 


• Recording the rationale behind the decision made during initial prioritisation of cases;

• Establishing clear roles and responsibilities in relation to making key decisions throughout the life of an investigation;

• Developing longer-term capacity monitoring mechanisms to improve preparedness for potential future investigations; and,

• Ensuring that lessons learned exercises are performed for closed investigations and that the arrangements for them are defined.

Please see Section 04 for further detail in respect of the recommendations made from our review.

3.1 Examples of areas where controls are operating reliably


The ICO's overarching Investigations Manual sets out the process of prioritisation and the criteria for each of the five categories developed to prioritise cases. The five categories are as follows:

• P1: High risk/ impact;
• P2H: High risk/ medium impact;
• P2M: Medium risk/ high impact;
• P3: Medium risk/ medium impact; and,
• P4: Low risk/ low impact.


We reviewed the definitions and criteria as set out in the ICO's Investigations Manual and confirmed that the principles outlined are clear in what is expected to meet high priority status. The ICO uses examples to ensure there is a clear separation of what is classed as a high priority investigation.


Preceding prioritisation, all investigations begin with the collation of 
evidence which decisions can be based on. This process is 
performed by the ICO’s Intelligence Team before resource is 
allocated to manage the investigation appropriately. The ICO’s 
Investigations Manual defines what sources of evidence can be 
considered by the Intelligence Team. 


We sample tested four High Priority Investigations and reviewed the respective TIDs, confirming that each case was clearly able to demonstrate that appropriate evidence had been collated and documented within the background of each TID, prior to approval.


Following prioritisation, P1 and P2H cases (high priority) are formally risk assessed using the assessment tool Management of Risk in Law Enforcement (MoRiLE). MoRiLE is an intelligence assessment tool developed by the Home Office which uses a suite of risk prioritisation models to assess information. The model allows the ICO to measure operational and tactical risk based on assessment of a number of threat areas, in particular reputational risk.

We sample tested the four High Priority Investigations and confirmed that each had appropriately used the MoRiLE assessment tool to risk assess the information. We traced the assessment score to the TID for each Investigation and further confirmed good practice by the ICO in that the key risks identified from the MoRiLE assessment are extracted and outlined within the TID for approval.


• As well as including the overall risk score resulting from the MoRiLE assessment, each Investigation's TID also includes details of the resource required to deliver a robust investigation. The ICO's TID also expects that the roles of the required resources are outlined for review by ET, prior to approval.

Our review of the four sampled HPIs noted good practice in that all four TIDs were able to adequately demonstrate the individuals, and their responsibilities, required to deliver the investigation.


• As per the Investigations Manual, High Priority Investigations should be presented to the Director of High Priority Investigations and ultimately presented for approval at ET.

Our review of the four HPIs sample tested identified that two Investigations were not able to demonstrate that appropriate approval was sought at ET. However, discussion with management confirmed that these two Investigations pre-dated the Investigations Manual and the existence of the HPI department, and therefore approval had not been formally recorded. The remaining two Investigations appropriately demonstrated approval by the Information Commissioner following review of the TID at an ET meeting. We have not raised a recommendation in respect of the two instances found, as these pre-date the new processes, which the remaining two samples demonstrate are operating effectively.


• Team Managers and Group Managers continually review and assess the progress of HPIs to ensure that investigations are conducted in a timely and effective manner, per the Investigations Manual. This process is formalised through monthly HPI team meetings and monthly ET reporting.

Our review confirmed that the HPI Team had appropriately updated and reviewed HPIs via the HPI Dashboard for the last three months (July, August and September), which is subsequently reported to ET for scrutiny and review.


3.2 Risk Management 


Our review of the ICO’s Risk and Opportunity Register 
acknowledged that the ICO has established the following strategic 
risk which relates to High Priority Investigations: 


Risk 31 (R65) — “We fail to manage high profile investigations in 
the most efficient and effective way possible, minimising the 
resultant impact of the investigation.” 


Risk rating: 9 (Amber). Target rating: 4 (Green). 


The strategic risk has the following mitigating controls listed which relate 
to the scope of this review: 


• New Investigations Directors in place;

• High priority case process identified and bedding in;

• New process for bidding for resource agreed by SLT and to be piloted in Q4. Reporting mechanism enhanced; and,

• Full investigative team in place from 28 May 2019.


Based on our findings and observations, we were able to confirm that the Director of High Priority Investigations has since been appointed, along with the High Priority Investigations Team. The team has been established since 28 May 2019 and the Director of HPIs was appointed in September 2020.


As identified in the background to this review, the HPI Team are currently working on the development of a specific HPI operating model, which will bring together the current operating procedures along with the relevant processes outlined within the Investigations Manual.


Our review of the Risk and Opportunity Register, as above, highlighted that strategic risk R65 has a risk rating of 9 and a RAG status of Amber. However, further review of the strategic risk identified that the ICO had last reviewed this risk on 19 July 2019. Whilst we appreciate that there have been changes to the HPI Team and ownership, we have raised a recommendation in Section 04, 4.2 to ensure that risk management and monitoring processes are embedded moving forward.


3.3 Value for Money 


Value for Money can be difficult to assess in an investigatory or inquiry context because the nature of the activity varies widely depending on the investigation at hand. For instance, investigations will vary in complexity as well as in the involvement of Policy, legislative or other requirements. Efficiency and effectiveness are also directly affected by the nature of what is being investigated and whether corresponding parties and external resources are required to be involved. As a result, attempts to create efficiency savings increase the risk of possible failure, which could lead to reputational damage that may outweigh any potential savings created.


The use of electronic data analytical tools can help to reduce the burden of manual data checking and interrogation. These can be aided by ease of access to information and the use of standard forms and processes, where possible. As previously confirmed, our review acknowledged that the ICO's HPI Team are currently working on developing a specific HPI Operating Model which will support the already established Investigations Manual.


The use of specialist staff both increases the effectiveness of investigations, as multiple skills are utilised, and reduces the cost of relying on outside specialists where they are required. Provided there is enough work to fill their time, such staff provide a good source of value for money.


3.4 Sector Comparison 


By comparing the equivalent of the investigation process to that of other 
regulators we work with, we have identified common themes of good 
practice across the sector. These include: 


• Focusing resources on areas of greatest risk;

• A regime of continuous monitoring;

• Improved early identification, and the subsequent management, of issues;

• Continuous improvement driven by lessons learned reviews;

• Appropriate and timely revision to policies & procedures; and

• Proportionate engagement with partner agencies.

In relation to our assessment of the ICO's control framework compared to the key themes from others within the sector, we have largely found that the ICO operates an effective control framework, with processes as strong as those we have seen elsewhere. There is, however, one area for improvement we identified relating to the ICO's lessons learned processes. We have therefore put forward a recommendation to strengthen the ICO's performance in light of good practice we have reviewed elsewhere.


Whilst comparing the ICO's control environment to that of others across the sector, we identified the use of a 'case management system' as something the ICO may wish to consider. Currently the HPI Team do not use a case management system for managing HPIs. The ICO's SharePoint is used as an organisation-wide repository and, in relation to HPIs, is used to store key case information and decisions made. The relatively low number of HPIs currently ongoing may prevent a case management system from being a cost-effective solution; however, as the ICO's HPI Team and investigations grow, the ICO may wish to perform a cost-benefit analysis to determine whether such a system would be worthwhile.


For instance, a case management system will bring benefits such as:

• Data is kept in a single, central location that is easily accessible. Less time is therefore spent looking for key documents;

• Some case management systems have the functionality for data analysis, enabling trends and patterns to be identified;

• Enhanced management oversight over investigation progress; and

• Improved compliance with data retention requirements.


04 Areas for Further Improvement and Action Plan 


Definitions for the levels of assurance and recommendations used within our reports are included in Appendix A1. 


We identified areas where there is scope for improvement in the control environment. The matters arising have been discussed with management, to whom we have made recommendations. The recommendations are detailed in the management action plan below.


Each action below is set out as Observation/Risk, Recommendation, Management response and Timescale/responsibility.

4.1 Prioritisation Rationale

Observation: As part of the initial triage process of all investigations, the ICO use a priority framework (P1-P4) to give each 'matter' a prioritisation rating to inform decisions about resource allocation and management of the investigation.

Our review identified that the application of the framework is inconsistently recorded, with varying levels of evidence to demonstrate the rationale behind the priority rating given.

During our sample testing, we identified one instance where the ICO were unable to provide any evidence of the rationale and recording of the initially noted prioritisation score, which we later confirmed had changed from a P2H to a P1 after further information had been made available for appropriate scrutiny. Further discussion with management identified that this particular HPI is currently being managed outside the HPI department.

Risk: Prioritisation and the rationale are not appropriately recorded or approved.

Recommendation: The ICO should ensure that all matters and potential investigations are prioritised using the P1-P4 framework, and that the supporting rationale, along with the concluding rating, is documented to allow scrutiny where applicable.

The ICO may also wish to consider the stage at which scrutiny and approval is sought for prioritisation, i.e. whether the priority ratings and rationale are reviewed and approved before being processed to the next stage.

Management response: This observation is reflective of how the wider organisation manage the P1-P4 process and is not a reflection on HPI specifically.

Where a case becomes a HPI, the P1-P4 is recorded on the TID, which also sets out clearly the areas of risk and reasons why it is a high priority.

Responsibility: JH. Timescale: end of March 2021.

4.2 Strategic Risk Review

Observation: As part of our risk management review, we identified that the ICO's Risk and Opportunity Register includes a strategic risk relating to High Priority Investigations; however, the risk was last reviewed on 29 July 2019.

Risk: The ICO do not appropriately monitor risk and mitigating controls surrounding HPIs, leading to strategic information being outdated and not reflecting the current risk of HPIs.

Recommendation: The ICO should review the strategic risk relating to HPIs, updating any information and risk rating where applicable.

The review of strategic risk should be regular and should be embedded into management processes for reporting and decision-making purposes.

Management response: This risk was allocated to a Director who had left the organisation. Risk now transferred to Anthony Luhman, Director HPI.

Responsibility: Anthony Luhman. Timescale: complete by 16 February 2021.

4.3 Lessons Learned

Observation: The ICO's Investigations Manual states that, for any learning to be beneficial for larger investigations and operations, the lessons learned process should be coordinated. These lessons learned should subsequently be evaluated by an appropriate person who has not been involved in the investigation or operation and can consider the issues objectively and independently (considering the need for a practised facilitator).

Our review identified that the ICO has yet to define roles and responsibilities for HPIs in relation to an independent review being performed for lessons learned.

We further identified that the ICO has only had one HPI close since the HPI team formed on 28 May 2019. The Investigation closed in October 2019, when an Investigation Closure Record was documented to outline the key findings and outcomes of the investigation; however, no formal lessons learned exercise has been performed for this HPI.

The ICO have developed a template for lessons learned to capture the key findings. At the time of the audit, this had not been completed for any investigations.

In addition, we have been provided with meeting notes to demonstrate that lessons learnt have been considered in one instance. This could go further by completing the template and providing formal actions from the meeting.

Risk: Lessons are not learned from the closure of Investigations, leading to the ICO not realising any good or bad practice experiences that can develop current processes.

Recommendation: The ICO should ensure that the design, expectations, roles and responsibilities of lessons learned for HPIs are established when developing the HPI Operating Model.

As soon as possible, the ICO should ensure that the Investigation identified in our testing goes through a formal lessons learned process, to complete the required template.

The ICO may also wish to consider whether there are less formal lessons learned processes developed during the investigation, such that good and bad practice can be shared earlier.

Management response: HPI has shared a Lessons Learned template as well as our process for assessing our knowledge, Effectiveness and Efficiency to demonstrate clear processes.

Processes have been completed in respect of Lessons Learned for High Priority cases. Whilst HPI conducted the lessons learned, they reflected high priority cases tasked to the Investigations department prior to HPI forming (Op C, Op L).

Responsibility: James Hayward. Timescale: by end March 2021.

4.4 Investigation Decision Making and Review

Observation: The ICO currently use a centralised SharePoint to record where key decisions have been made and where any items have been saved for approval. The SharePoint also allows items to be allocated to individuals to demonstrate and record where approval has been sought. However, the ICO's overarching Investigations Manual does not detail what decisions and key points should be recorded and approved, and who is responsible.

We further identified that there are no expected timescales or key reporting points for providing updates to ET, nor a definition of how much involvement ET should have post approval.

Risk: High priority investigations are not reviewed and approved at key decision-making stages of the investigation.

Recommendation: As part of the development of the HPI Operating Model, the ICO should ensure that processes are clearly defined with regard to expected key review points and key decisions. This should also include the involvement and delegated authority of the Executive Team, ensuring that a consistent approach is applied across all investigations.

Additionally, when documenting such processes in relation to decision making, the ICO should ensure that timescales and responsibility are clearly defined.

Management response: HPI has demonstrated the decision-making process and how it is recorded within the case files.

HPI have demonstrated that there are monthly reporting points for providing updates to ET and the Audit comments on update reports being provided on a monthly basis.

There are key Investigative Principles regarding the independence of an investigation, and the importance of separation between the day to day running of an investigation and the Executive. The Executive must remain apart from investigative decision making in order to maintain the integrity of an investigation.

ET do have a role to perform in providing appropriate challenge, checks and balances; the gateway for this is through the HPI monthly updates and dashboard and Directors meetings.

Responsibility: Melissa Mathieson/Anthony Luhman. Timescale: completed March 2021.

4.5 Capacity Monitoring

Observation: The ICO have developed a 'HPI Capacity Tracker' which is designed to review resourcing availability for the forthcoming two weeks within the HPI Team. The tracker records the expected working time to be spent on current investigations and converts this into a percentage of total capacity, from which a RAG rating based on availability is derived. The two-week forward-looking view was initially designed to reflect dynamic and agile working requirements during the response to COVID-19.

Whilst we appreciate this is a clear and well-designed control to monitor resource capacity, providing a tangible RAG and % capacity indicator during COVID times, the tracker remains short-sighted and the ICO could use it to predict capacity beyond two weeks, better preparing for gaps and for pipeline investigations that may arise requiring immediate attention.

Risk: Resource monitoring is short-sighted, leading to failure to prepare for and manage demand from future investigations.

Recommendation: The ICO should ensure that the current capacity tracker is developed to allow longer-term resource planning, to better inform decisions on resource and capacity further than two weeks ahead.

Once the design has been established, the processes, roles and responsibilities should be documented centrally within the HPI Operating Model.

Management response: Auditors' initial feedback was complimentary of our capacity monitoring processes as one of the better mechanisms seen.

The timeframes were explained as reflective of the dynamic nature of the HPI work at the time, responding dynamically to the needs of the COVID-19 response, which would vary on a daily basis. It meant that at the time of Audit, the longer-term assessments would be ineffective. We agree that as our Covid response starts to wind down, we can now reflect the longer term capacity planning. Longer term capacity planning was also executed through workforce planning. The level of capacity resource monitoring was appropriate for the specific role that HPI were performing regarding our operational needs and demands following Covid-19. I therefore consider the assessed risk is reduced significantly.

Responsibility: JH. Timescale: end March 2021.


A1 Audit Information

Audit Control Schedule

Client contacts: Anthony Luhman, Director of High Priority Investigations & Intelligence; Melissa Mathieson, Head of High Priority Investigations

Internal Audit Team: Peter Cudlip, Partner; Darren Jones, Manager; Chris Hogan, Senior Auditor

Finish on site/ Exit meeting: 24 November 2020
Last information received: 24 November 2020
Draft report issued: 15 December 2020
Management responses received: 4 February 2021
Final report issued: 9 February 2021


Scope and Objectives 


Audit objective: To provide assurance over the design and effectiveness 
of the key controls operating in relation to High Priority Investigations. 
Our review considered the following risks: 


• Methodology for approving an investigation: The ICO do not have a robust methodology and strategy for prioritising investigations, including consideration of regulatory priorities. Lower priority investigations are put ahead of high priority ones due to inadequate mechanisms to define 'high priority'. Investigations are not undertaken on the basis of real evidence-based intelligence.

• Risk Assessments: The ICO do not appropriately risk assess investigations, in particular taking into consideration reputational risk to the ICO. Investigation risks are not outlined prior to commencement, leading to inadequate preparation of resource.

• Approval of Investigations: New high priority investigations are not independently reviewed and subsequently approved prior to commencement.

• Resource: The ICO do not appropriately review resourcing requirements during budget setting processes and therefore do not have enough resource to carry out investigations. Resource is not monitored throughout the year based on demand.

• Investigation Monitoring: High priority investigations are not reviewed and approved at key decision-making stages of the investigation. Progress of investigations is not scrutinised by management.

• Reporting: Management are not provided with sufficient decision-making information due to inadequate reporting of high priority investigations. Lessons learned are not shared following closure of investigations.


The scope for the audit is concerned with assessing whether the ICO 
has in place adequate and appropriate policies, procedures and controls 
to manage the above risks. We will review the design of controls in 
place and, where appropriate, undertake audit testing of these to 
confirm compliance with controls, with a view to forming an opinion on 
the design, compliance with and effectiveness of controls. 


Testing will be performed on a sample basis, and as a result our work 
does not provide absolute assurance that material error, loss or fraud 
does not exist. 
Definitions of Assurance Levels

Substantial Assurance: Our audit finds no significant weaknesses and we feel that overall risks are being effectively managed. The issues raised tend to be minor issues or areas for improvement within an adequate control framework.

Adequate Assurance: There is generally a sound control framework in place, but there are significant issues of compliance, efficiency or some specific gaps in the control framework which need to be addressed. Adequate assurance indicates that despite this, there is no indication that risks are crystallising.

Limited Assurance: Weaknesses in the system and/or application of controls are such that the system objectives are put at risk. Significant improvements are required to the control environment.


Definitions of Recommendations

Priority 1 (Fundamental): Recommendations represent fundamental control weaknesses, which expose the organisation to a high degree of unnecessary risk.

Priority 2 (Significant): Recommendations represent significant control weaknesses which expose the organisation to a moderate degree of unnecessary risk.

Priority 3 (Housekeeping): Recommendations show areas where we have highlighted opportunities to implement a good or better practice, to improve efficiency or further reduce exposure to risk.
Statement of Responsibility


We take responsibility to the Information Commissioner’s Office (ICO) 
for this report which is prepared based on the limitations set out below. 


The responsibility for designing and maintaining a sound system of internal control and the prevention and detection of fraud and other irregularities rests with management, with internal audit providing a service to management to enable them to achieve this objective. Specifically, we assess the adequacy and effectiveness of the system of internal control arrangements implemented by management and perform sample testing on those controls in the period under review with a view to providing an opinion on the extent to which risks in this area are managed.


We plan our work in order to ensure that we have a reasonable 
expectation of detecting significant control weaknesses. However, our 
procedures alone should not be relied upon to identify all strengths and 
weaknesses in internal controls, nor relied upon to identify any 
circumstances of fraud or irregularity. Even sound systems of internal 
control can only provide reasonable and not absolute assurance and 
may not be proof against collusive fraud. 


The matters raised in this report are only those which came to our 
attention during our work and are not necessarily a comprehensive 
statement of all the weaknesses that exist or all improvements that 
might be made. Recommendations for improvements should be 
assessed by you for their full impact before they are implemented. The 
performance of our work is not and should not be taken as a substitute 
for management’s responsibilities for the application of sound 
management practices. 


This report is confidential and must not be disclosed to any third party or reproduced in whole or in part without our prior written consent. To the fullest extent permitted by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any reason whatsoever on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Any such reliance by any third party is entirely at their own risk.
Contacts


Peter Cudlip 
Partner, Mazars 
peter.cudlip@mazars.co.uk 


Darren Jones 
Manager, Mazars 
darren.jones@mazars.co.uk 


Mazars is an internationally integrated partnership, specialising in audit, accountancy, advisory, tax and legal services*. Operating in over 90 countries and 
territories around the world, we draw on the expertise of 40,400 professionals — 24,400 in Mazars’ integrated partnership and 16,000 via the Mazars North 
America Alliance — to assist clients of all sizes at every stage in their development. 


*where permitted under applicable country laws. 


www.mazars.co.uk 